An expiring SSL certificate on test.com, such as one from Google Trust Services set to lapse on 2025-09-03, often slips past renewal checks amid rapid infrastructure changes. Is it a minor glitch, or an open window for MITM attacks and service outages? Siloed cert trackers across CAs and CDNs fragment oversight, leaving blind spots in your TLS posture.
The Certificates tab lists all SSL/TLS certificates associated with a domain or its IPs, highlighting expirations, issuers, and states in Total View. It surfaces risks via urgency cards (e.g., 0 due in 24 hours) and issuer distributions, while the details table breaks down fingerprints, validity windows, and scan contexts, arming teams to harden encryption before exploits hit.
This tab leverages Silent Push's web scanning and passive DNS pulls, complementing Web Search for content ties and Threat Feeds for correlated alerts on weak certs.
Why is it useful?
Lapsed or misissued certificates enable eavesdropping, spoofing, or compliance failures, as in breaches where unmonitored expirations exposed e-commerce flows. This tab flags concentrations and timelines, enabling SOCs to proactively triage renewals, a vital function for stretched teams auditing 6+ certs across IPs. It identifies anomalies, such as revoked entries indicating compromise, which helps streamline hygiene and vendor risk assessments in defender routines.
Teams link findings to broader hunts, such as expiring certs that align with Threat Feeds spikes, which are essential for PCI-DSS audits or zero-trust rollouts.
How does it work?
Silent Push's aggregation engine scans live IPs and historical data for certificate chains, compiling inventories without third-party dependencies. Urgency cards filter by horizons (24h/30d); the issuers’ graph visualizes diversity; the table sorts by status (e.g., 2 active, 4 expired).
Interconnections: A Google-issued cert might echo Web Search redirects, while feeding Threat Feeds for exploit intel on weak issuers.
Filters and comparisons drill down into the data: for example, clicking the 30-day card isolates that lone at-risk entry, ensuring gap-free TLS visibility.
Generate a set of results
Input a domain (e.g., test.com) in the search bar to open Total View, then click the Certificates tab.
Example
Query test.com in Certificates: The "Due to Expire" status shows 0 in 24 hours (red) and 1 in 30 days (orange), with the issuers’ graph peaking at four for Google Trust Services amid six total. Total Results: 6 (2 Active, 4 Expired).
The table highlights an expired entry:
SHA256: 12:7b:43:30:ef:f0:a6:f6...
Issuer: Google Trust Services
Not Before: 2025-05-04 11:30:32
Not After: 2025-08-12 19:59:52
IPs Scanned On: 2
Status: Expired
This entry is tied to a potential outage vector.
Another entry, this one active:
SHA256: ed:55:5b:ec:88:40:c1:9...
Not After: 2025-11-28 21:48:03
This entry flags ongoing coverage.
Hover over the graph bar for notes: the description warns that mono-reliance on Google risks CA outages.
Fields
ssl.SHA256: The unique SHA-256 fingerprint (e.g., 12:7b:43:30:ef:f0:a6:f6...), for verifying cert integrity against known-good values or revocations.
ssl.issuer.organization: The issuing entity (e.g., Google Trust Services), with graphs revealing over-reliance that could cascade failures.
ssl.not.before: Validity start (e.g., 2025-05-04 11:30:32), anchoring issuance timelines for anomaly hunts.
ssl.not.after: Expiration date (e.g., 2025-08-12 19:59:52), fueling urgency filters—post-2025-10-13 views flag overdue ones as high-risk.
IPs Scanned On: Detection contexts (e.g., 2 IPs like 203.0.113.5), linking certs to live hosts for pivotable enrichment.
Status: Lifecycle state (e.g., Active, Expired, Revoked), color-coded for triage—e.g., Expired in red prompts immediate renewals.
Certificates view
The details table logs all certificates with expandable attributes for forensics. For bare domains like example.io, it may yield sparse results (fewer than 3).
It includes fingerprints (e.g., truncated hashes), full issuer chains, validity spans, and IP ties. Expand for diffs: Active windows in green, expired gaps in red. Hover rows for expanded info: Chain depths, revocation checks, and pivot links to Web Scanner or external CRLs.
Use case
Audit issuer diversity: Google-heavy setups, for example, are vulnerable to targeted CA disruptions in phishing campaigns.
Certificate results
The tab enables bulk ops via Select All (e.g., Copy for ticketing), Choose Field Names for custom views, and Download CSVs for CA reports. Toggle Basic Raw Data for unparsed fields like raw subjects, use Compare to diff issuances across IPs, or Save To feeds/drafts for expiration monitoring.
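The urgency cards and issuer graph can be reproduced offline from a downloaded CSV. The script below is an added example, not Silent Push code: it assumes the export's columns use the field names listed under Fields and the timestamp layout shown in the example, and its sample rows and fingerprints are constructed.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample rows. Column names are ASSUMED to match the field names
# listed on this page; a real export may differ. Fingerprints are placeholders.
SAMPLE_CSV = """ssl.SHA256,ssl.issuer.organization,ssl.not.before,ssl.not.after
aa:01,Google Trust Services,2025-05-04 11:30:32,2025-08-12 19:59:52
aa:02,Google Trust Services,2025-08-30 21:48:03,2025-11-28 21:48:03
aa:03,Example CA,2025-07-01 00:00:00,2025-10-13 18:00:00
aa:04,Google Trust Services,2025-09-01 00:00:00,2025-11-05 00:00:00
"""
TS_FORMAT = "%Y-%m-%d %H:%M:%S"  # timestamp layout shown in the page's example


def triage(csv_text, now):
    """Bucket certificates by time to expiry and count issuers of live certs."""
    # Assumption: `now` and the exported timestamps share one timezone.
    buckets = {"expired": [], "due_24h": [], "due_30d": [], "ok": []}
    issuers = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        not_before = datetime.strptime(row["ssl.not.before"], TS_FORMAT)
        not_after = datetime.strptime(row["ssl.not.after"], TS_FORMAT)
        if not_after <= not_before:
            raise ValueError(f"inverted validity window: {row['ssl.SHA256']}")
        remaining = not_after - now
        if remaining <= timedelta(0):
            key = "expired"
        elif remaining <= timedelta(hours=24):
            key = "due_24h"
        elif remaining <= timedelta(days=30):
            key = "due_30d"
        else:
            key = "ok"
        buckets[key].append(row["ssl.SHA256"])
        if key != "expired":
            issuers[row["ssl.issuer.organization"]] += 1
    live = sum(issuers.values())
    # Share of unexpired certificates held by the most common issuer.
    top_issuer, top_count = issuers.most_common(1)[0] if live else (None, 0)
    concentration = top_count / live if live else 0.0
    return buckets, top_issuer, concentration


if __name__ == "__main__":
    now = datetime(2025, 10, 13, 0, 0, 0)  # constructed "current" time
    buckets, issuer, share = triage(SAMPLE_CSV, now)
    print(buckets, issuer, round(share, 2))
```
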
Tips
Triage expirations: First, open the In 24 Hours card for fire-drill priorities, then expand to 30 Days for queued renewals.
Scrutinize graphs: Scan issuer bars for red flags, such as single-vendor dominance, and cross-check with Threat Feeds for compromised CAs.
Layer intel: Pair with Web Search to trace active certificates to suspicious redirects.